Cisco Support Community

New Member

vpn authentication and authorization using pix 7.2 and acs

Hi, I am using a PIX 7.2 and ACS 3.2. I want to perform remote-access VPN authentication and authorization through AAA using RADIUS. I am able to do it when I am using a local group policy on the PIX, but I am not able to do it using ACS. I was trying to use the Cisco av-pair to send the parameters, but it is not happening. Could somebody please tell me the steps to proceed?

17 REPLIES
Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

What attributes are you trying to push?

Does the AAA server get any hits when trying to authenticate?

Regards,

Vivek

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Hi Vivek, I am successfully able to authenticate through ACS, and the clients are also getting their IP address from the ACS IP pool defined. The problem is that I was trying to push mode-config attributes like ipsec:firewall=0, ipsec:pfs=1, etc. through Cisco av-pair RADIUS attributes, but it is not happening.

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

Can you put your config in here?

Regards,

Vivek

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Hi, below is the relevant AAA-related config on the PIX:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10
 key xxxxxx
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 authorization-server-group Radius
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

Since you haven't given any group-policy config, I am assuming you haven't configured any external group policy on the ASA.

See the following link:

http://www.cisco.com/en/US/products/ps6121/products_configuration_guide_chapter09186a00806a81e3.html#wp1133706

Once you have configured an external group on the PIX, you can push the required attributes from the ACS.

HTH.

Regards,

Vivek
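
The external group-policy setup Vivek points to, written out as an added example against the config posted above (this is not configuration from either poster). The group name guest_group and the password guest are assumptions; the server group Radius and tunnel group ciscovpn are the ones already in the posted config.

```cisco
! Added example, not from the original post.
! An external group policy tells the PIX to fetch the group's attributes
! from a RADIUS server group instead of from local config. The PIX does
! this by authenticating the group name itself as a RADIUS user, so a
! user account named exactly "guest_group" with password "guest" must
! exist on ACS (assumed names), with Service-Type = Outbound.
group-policy guest_group external server-group Radius password guest
!
! Bind the external group policy to the tunnel group. A client that
! connects to "ciscovpn" is first authenticated against RADIUS as itself,
! and then the PIX pulls the attributes ACS returns for "guest_group".
tunnel-group ciscovpn general-attributes
 authentication-server-group Radius
 default-group-policy guest_group
!
! On the ACS side, attach the attributes to the guest_group account from
! the "RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)" vendor-specific set
! (vendor ID 3076), as the later replies in this thread describe,
! rather than as cisco-av-pair "ipsec:..." strings.
```

To check that the group lookup is actually happening, run `debug radius` on the PIX while a client connects: there should be an Access-Request for the user, followed by a separate Access-Request for the username guest_group; if the second request is missing, the tunnel group is not using the external group policy, and if ACS rejects it, the account name or password on ACS does not match the `group-policy` line.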

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Hi Vivek, I had also tried that. I had made one external group with the name guest_group and a password of guest, and I mapped it into my tunnel-group. Now in ACS the VPN users belong to guest_group only, and in that I defined these Cisco av-pair attributes:

vpngroup Password = "guest", Service-Type = Outbound

ipsec:firewall=1

ipsec:include-local-lan=1

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

You would need to push attributes like client firewall, split-tunneling policy, etc. using the attributes available under RADIUS (VPN 3000/ASA/PIX 7.x+).

You can find all the attributes under Interface Configuration -> RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).

So instead of using cisco-av-pair (026/009/001) you need to use the predefined attributes like 026/3076/001.

Regards,

Vivek

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Yeah, thanks for your reply. I found in the guide that for older versions of ACS other than 4.0 we have to push the VPN concentrator attributes; this does not apply to ACS 4.0.

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

I am facing almost the same problem.

I need to authenticate my remote clients to the ASA through ACS.

Remote VPN is working fine using the local username, but authentication through ACS is not working for me.

I have added my ASA as an AAA client in the ACS.

And my config in the ASA:

aaa-server vpn protocol tacacs+
aaa-server vpn host x.x.x.x
 key ****
tunnel-group RemoteTunnel general-attributes
 authentication-server-group (inside) Radius
 authorization-server-group Radius

Any ideas?

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Hi, you have to attach an external group policy to the tunnel-group to do the external ACS authentication, and the group name should be the username on the ACS, because ACS sees it as a username to be authenticated.

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Can you send an example?

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

External authentication does not require an external group. An external group is required when you want to push group policies from the RADIUS server.

We can have an internal group forward the auth request to the RADIUS server.

You need to change your config as follows:

aaa-server vpn protocol radius
aaa-server vpn host x.x.x.x
tunnel-group RemoteTunnel general-attributes
 authentication-server-group vpn

Make sure that you have added the ASA as an AAA client in ACS and set it to authenticate using RADIUS.

HTH

Regards,

Vivek

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Yeah, he is right. For external authentication we only need to attach the AAA server to the tunnel-group. If we want to push some attributes to the client, then we need to do the above. Sorry, I thought that you wanted to have authorization also.

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

Please go on about the authorization on the PIX. I have an ACS group DEB that I mapped to an NT group DEB. I can authenticate to a PIX through VPN if I am assigned that NT group, but I can also authenticate if I am not part of the DEB group using the same DEB.pcf. I was hoping that the group mapping would be my solution, but that is not the case.

Elaborate a tad on the authorization setup on a PIX, please.

Thank you

Dwane

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

Group mapping would really not be the answer to your problem.

What you will have to do is configure NARs on all groups in ACS which do not need access to the PIX. In the NAR, deny access to the PIX.

Regards,

Vivek

New Member

Re: vpn authentication and authorization using pix 7.2 and acs

And setting up the NAR will allow me to use group mapping as well?

I am told that dynamic ACLs are the way I need to go, because if a person who is not in the NT group logs into the VPN and is part of the default group, then they will be authenticated to the PIX.

I think group mapping via NT and ACS is hosed and authorization in RADIUS is not working as described.

Thanks

Dwane

Cisco Employee

Re: vpn authentication and authorization using pix 7.2 and acs

Hi,

Dynamic ACLs will allow the user to get in, but at most you can stop him from going anywhere after logging in.

A NAR will deny the user access to the VPN altogether.

ACS is working as designed. We need to configure authorization as required, and that is what you can do using ACLs or NARs.

Regards,

Vivek
